def copy_group(avg):
group_id = avg.replace('AVG-', '')
group_data = (db.session.query(
CVEGroup, CVE, func.group_concat(
CVEGroupPackage.pkgname,
' ')).filter(CVEGroup.id == group_id).join(CVEGroupEntry).join(
CVE).join(CVEGroupPackage).group_by(CVEGroup.id).group_by(
CVE.id).order_by(CVE.id)).all()
if not group_data:
return not_found()
group = group_data[0][0]
issues = [cve for (group, cve, pkg) in group_data]
issue_ids = [cve.id for cve in issues]
pkgnames = set(
chain.from_iterable(
[pkg.split(' ') for (group, cve, pkg) in group_data]))
form = GroupForm()
form.advisory_qualified.data = group.advisory_qualified
form.affected.data = group.affected
form.bug_ticket.data = group.bug_ticket
form.cve.data = '\n'.join(issue_ids)
form.fixed.data = group.fixed
form.notes.data = group.notes
form.pkgnames.data = '\n'.join(sorted(pkgnames))
form.reference.data = group.reference
form.status.data = status_to_affected(group.status).name
return render_template('form/group.html',
title='Add AVG',
form=form,
CVEGroup=CVEGroup,
action='/avg/add')
def recalc_group_status():
updated = []
groups = (db.session.query(
CVEGroup, func.group_concat(CVEGroupPackage.pkgname,
' ')).join(CVEGroupPackage).group_by(
CVEGroupPackage.group_id)).all()
for group, pkgnames in groups:
pkgnames = pkgnames.split(' ')
new_status = affected_to_status(status_to_affected(group.status),
pkgnames[0], group.fixed)
if group.status is not new_status:
updated.append(dict(group=group, old_status=group.status))
group.status = new_status
db.session.commit()
return updated
def edit_group(avg):
group_id = avg.replace('AVG-', '')
group_data = (db.session.query(CVEGroup, CVE, func.group_concat(CVEGroupPackage.pkgname, ' '), Advisory)
.filter(CVEGroup.id == group_id)
.join(CVEGroupEntry, CVEGroup.issues)
.join(CVE, CVEGroupEntry.cve)
.join(CVEGroupPackage, CVEGroup.packages)
.outerjoin(Advisory, Advisory.group_package_id == CVEGroupPackage.id)
.group_by(CVEGroup.id).group_by(CVE.id).group_by(CVEGroupPackage.pkgname)
.order_by(CVE.id)).all()
if not group_data:
return not_found()
group = group_data[0][0]
issues = set([cve for (group, cve, pkg, advisory) in group_data])
issue_ids = set([cve.id for cve in issues])
pkgnames = set(chain.from_iterable([pkg.split(' ') for (group, cve, pkg, advisory) in group_data]))
advisories = set(advisory for (group, cve, pkg, advisory) in group_data if advisory)
if not user_can_edit_group(advisories):
return forbidden()
form = GroupForm(pkgnames)
if not form.is_submitted():
form.affected.data = group.affected
form.fixed.data = group.fixed
form.pkgnames.data = "\n".join(sorted(pkgnames))
form.status.data = status_to_affected(group.status).name
form.reference.data = group.reference
form.notes.data = group.notes
form.bug_ticket.data = group.bug_ticket
form.advisory_qualified.data = group.advisory_qualified and group.status is not Status.not_affected
issue_ids = sorted(issue_ids, key=issue_to_numeric)
form.cve.data = "\n".join(issue_ids)
if not form.validate_on_submit():
if advisories:
flash('WARNING: This is referenced by an already published advisory!', 'warning')
return render_template('form/group.html',
title='Edit {}'.format(avg),
form=form,
CVEGroup=CVEGroup)
pkgnames_edited = multiline_to_list(form.pkgnames.data)
group.affected = form.affected.data
group.fixed = form.fixed.data
group.status = affected_to_status(Affected.fromstring(form.status.data), pkgnames_edited[0], group.fixed)
group.bug_ticket = form.bug_ticket.data
group.reference = form.reference.data
group.notes = form.notes.data
group.advisory_qualified = form.advisory_qualified.data and group.status is not Status.not_affected
cve_ids = multiline_to_list(form.cve.data)
cve_ids = set(filter(lambda s: s.startswith('CVE-'), cve_ids))
issues_removed = set(filter(lambda issue: issue not in cve_ids, issue_ids))
issues_added = set(filter(lambda issue: issue not in issue_ids, cve_ids))
issues_final = set(filter(lambda issue: issue.id not in issues_removed, issues))
issues_changed = any(issues_added) or any(issues_removed)
# remove old issues
for issue in filter(lambda issue: issue.cve_id in issues_removed, list(group.issues)):
group.issues.remove(issue)
flash('Removed {}'.format(issue.cve_id))
# add new issues
severities = [issue.severity for issue in list(filter(lambda issue: issue.id not in issues_removed, issues))]
for cve_id in issues_added:
# TODO check if we can avoid this by the latter append call
cve = db.get(CVE, id=cve_id)
if not cve:
cve = CVE.new(id=cve_id)
db.get_or_create(CVEGroupEntry, group=group, cve=cve)
flash('Added {}'.format(cve.id))
severities.append(cve.severity)
issues_final.add(cve)
group.severity = highest_severity(severities)
pkgnames_removed = set(filter(lambda pkgname: pkgname not in pkgnames_edited, pkgnames))
pkgnames_added = set(filter(lambda pkgname: pkgname not in pkgnames, pkgnames_edited))
pkgnames_changed = any(pkgnames_removed) or any(pkgnames_added)
# remove old packages
for pkg in filter(lambda pkg: pkg.pkgname in pkgnames_removed, list(group.packages)):
group.packages.remove(pkg)
flash('Removed {}'.format(pkg.pkgname))
# add new packages
for pkgname in pkgnames_added:
db.get_or_create(CVEGroupPackage, pkgname=pkgname, group=group)
flash('Added {}'.format(pkgname))
# update scheduled advisories
for advisory in advisories:
if Publication.published == advisory.publication:
continue
issue_type = 'multiple issues' if len(set([issue.issue_type for issue in issues_final])) > 1 else next(iter(issues_final)).issue_type
advisory.advisory_type = issue_type
# update changed date on modification
if pkgnames_changed or issues_changed or db.session.is_modified(group):
group.changed = datetime.utcnow()
flash('Edited {}'.format(group.name))
db.session.commit()
return redirect('/{}'.format(group.name))